Merge branch 'release/0.9.0.0'

.eslintrc

@@ -2,7 +2,8 @@
  "env": {
  "browser": true,
  "jasmine": true,
- "jquery": true
+ "jquery": true,
+ "es6": true
  },
 
  "globals": {
@@ -15,7 +16,6 @@
  "Handlebars": false,
  "HandlebarsTemplates": false,
  "ImagePaths": false,
- "jsxc": false,
  "L": false,
  "OSM": false,
  "PerfectScrollbar": false,
@@ -97,7 +97,7 @@
  "no-catch-shadow": 0,
  "no-class-assign": 2,
  "no-cond-assign": 2,
- "no-confusing-arrow": 2,
+ "no-confusing-arrow": [2, {"allowParens": true}],
  "no-console": 2,
  "no-const-assign": 2,
  "no-constant-condition": 2,

.github/workflows/ci.yml

@@ -15,8 +15,8 @@ jobs:
  fail-fast: false
  matrix:
  ruby:
- - 2.7
- - 2.6
+ - '3.2'
+ - '3.3'
  db:
  - mysql
  - postgresql
@@ -44,11 +44,11 @@ jobs:
  - 5432:5432
  steps:
  - name: Install system dependencies
- run: sudo apt update && sudo apt install -y build-essential curl git gsfonts imagemagick libcurl4-openssl-dev libidn11-dev libmagickwand-dev libssl-dev libxml2-dev libxslt1-dev
+ run: sudo apt update && sudo apt install -y build-essential curl git gsfonts imagemagick libcurl4-openssl-dev libidn11-dev libmagickwand-dev libssl-dev libxml2-dev libxslt1-dev yarnpkg
  - name: Start MySQL
  run: sudo systemctl start mysql.service
  if: matrix.db == 'mysql'
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
  - uses: ruby/setup-ruby@v1
  with:
  ruby-version: ${{ matrix.ruby }}

.github/workflows/lint.yml

@@ -0,0 +1,62 @@
+## SECURITY WARNING:
+##
+## Do not change this job unless you know what you're doing.
+##
+## This GitHub Action runs on: pull_request_target, which means the jobs run in
+## a context where they have access to a Access Token with write access to the
+## target repo, even if the PR is opened from an external contributor from their
+## fork.
+##
+## This means that if we're not careful, we could be running third-party code
+## within an authenticated scope, which isn't good. To mitigate this, this
+## implementation does:
+##
+## 1. checkout the target branch (i.e. the project's original sources)
+## 2. install the Gems from there, and install them into a directory that's
+## outside the repository contents.
+## 3. checkout the PRs HEAD
+## 4. restore a bunch of files that would allow code execution from the
+## project's upstream sources, namely:
+## - bin/bundle - we'll run that in our Job
+## - Gemfile/Gemfile.lock - to avoid loading a gem with an identical
+## version number from a in-repo vendored directory
+
+name: Lint
+on:
+ pull_request_target:
+
+permissions:
+ contents: read
+ statuses: write
+ pull-requests: write
+
+jobs:
+ pronto:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Install system dependencies
+ run: sudo apt update && sudo apt install -y build-essential curl git gsfonts imagemagick libcurl4-openssl-dev libidn11-dev libmagickwand-dev libssl-dev libxml2-dev libxslt1-dev yarnpkg
+ - name: Checkout Target branch
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.base_ref }}
+ fetch-depth: 0
+ - uses: ruby/setup-ruby@v1
+ with:
+ ruby-version: "3.1"
+ bundler-cache: true
+ - name: Checkout PR HEAD
+ run: |
+ git fetch -q origin +refs/pull/${{ github.event.pull_request.number }}/head:
+ git checkout -qf FETCH_HEAD
+ - name: Restore the bundle binstub and Gemfiles from the target branch
+ run: |
+ git restore -s ${{ github.base_ref }} -- bin/bundle
+ git restore -s ${{ github.base_ref }} -- Gemfile
+ git restore -s ${{ github.base_ref }} -- Gemfile.lock
+ - name: Run Pronto
+ run: bin/bundle exec pronto run -f github_status github_pr_review -c ${{ github.base_ref }}
+ env:
+ PRONTO_PULL_REQUEST_ID: ${{ github.event.pull_request.number }}
+ PRONTO_GITHUB_ACCESS_TOKEN: ${{ github.token }}
+

.gitignore

@@ -1,8 +1,3 @@
-# XMPP certificates, keys and user data
-config/certs/*.crt
-config/certs/*.key
-config/prosody.cfg.lua
-
 # Trademark sillyness
 app/views/home/_show.*
 app/views/terms/terms.*

.rubocop.yml

@@ -1,7 +1,7 @@
 require: rubocop-rails
 
 AllCops:
- TargetRubyVersion: 2.6
+ TargetRubyVersion: 3.0
  NewCops: enable
  Exclude:
  - "bin/**/*"
@@ -39,7 +39,7 @@ Metrics/PerceivedComplexity:
 
 # Some blocks are longer.
 Metrics/BlockLength:
- ExcludedMethods:
+ AllowedMethods:
  - "namespace"
  - "create_table"
  Exclude:
@@ -73,6 +73,11 @@ Layout/HashAlignment:
  EnforcedHashRocketStyle: table
  EnforcedColonStyle: table
 
+# This rule makes haml files less readable, as there is no 'end' there.
+Layout/CaseIndentation:
+ Exclude:
+ - "app/views/**/*"
+
 # Mixing the styles looks just silly.
 Style/HashSyntax:
  EnforcedStyle: ruby19_no_mixed_keys
@@ -168,6 +173,11 @@ Style/Documentation:
 Naming/BinaryOperatorParameterName:
  Enabled: false
 
+# Defining constants in tests is fine, and it's good to have them close to the test where they are used.
+Lint/ConstantDefinitionInBlock:
+ Exclude:
+ - "spec/**/*"
+
 # There are valid cases, for example debugging Cucumber steps,
 # also they'll fail CI anyway
 Lint/Debugger:

.ruby-version

@@ -1 +1 @@
-2.7
+3.3

.scss-lint.yml

@@ -70,7 +70,7 @@ linters:
  enabled: true
 
  IdSelector:
- enabled: true
+ enabled: false
 
  ImportantRule:
  enabled: true

Changelog.md

@@ -1,3 +1,102 @@
+# 0.9.0.0
+
+## New configuration file!
+
+Diaspora\* now uses TOML for the configuration file. We recommend you to migrate to this new format, as with the next major release (1.0) diaspora\* will no longer read the YAML based configuration file at `config/diaspora.yml`. To do so, please copy `config/diaspora.toml.example` to `config/diaspora.toml` and migrate your configuration.
+
+## API!
+
+With the release of diaspora\* Version 0.9, we now officially support building applications on top of the diaspora\* API! Please check out [the official API documentation](https://diaspora.github.io/api-documentation/) for instructions, and please do file bugs if you notice something that could be improved!
+
+We are looking forward to seeing many creative applications!
+
+## The chat integration has been removed
+
+After [a discussion with our community on Discourse](https://discourse.diasporafoundation.org/t/2718), we decided to remove the pieces of XMPP chat integration that were put in place a while ago. When we first added the chat support, we merged the implementation in an unfinished state in the hopes that the open issues will be addressed eventually, and the implementation would end up more polished. This ended up not being the case. After careful consideration and discussion, we did not manage to come up with clear reasons why we need a chat implementation, so we decided that the best way forward would be to remove it.
+
+Although the chat was never enabled per default and was marked as experimental, some production pods did set up the integration and offered an XMPP service to their users. After this release, diaspora\* will no longer contain a chat applet, so users will no longer be able to use the webchat inside diaspora\*. The existing module that is used to enable users to authenticate to Prosody using their diaspora\* credentials will continue to work, but contact list synchronization might not work without further changes to the Prosody module, which is developed independently from this project.
+
+## Changes around the appserver and related configuration
+
+With this release, we switched from `unicorn` to `puma` to run our applications. For podmins running the default setup, this should significantly reduce memory usage, with similar or even better frontend performance! However, as great as this change is, some configuration changes are required.
+
+- The `single_process_mode` and `embed_sidekiq_worker` configurations have been removed. This mode was never truly a "single-process" mode, as it just spawned the Background Workers inside the runserver. If you're using `script/server` to start your pod, this change does not impact you, but if you're running diaspora\* using other means, and you relied on this "single"-process mode, please ensure that Sidekiq workers get started.
+- The format of the `listen` configuration has changed. If you have not set that field in your configuration, you can skip this. Otherwise, make sure to adjust your configuration accordingly:
+ - Listening to Unix sockets with a relative path has changed from `unix:tmp/diaspora.sock` into `unix:https://tmp/diaspora.sock`.
+ - Listening to Unix sockets with an absolute path has changed from `unix:/run/diaspora/diaspora.sock` to `unix:https:///run/diaspora/diaspora.sock`.
+ - Listening to a local port has changed from `127.0.0.1:3000` to `tcp:https://127.0.0.1:3000`.
+- The `PORT` environment variable and the `-p` parameter to `script/server` have been removed. If you used that to run diaspora\* on a non-standard port, please use the `listen` configuration.
+- The `unicorn_worker` configuration has been dropped. With Puma, there should not be a need to increase the number of workers above a single worker in any pod of any size.
+- The `unicorn_timeout` configuration has been renamed to `web_timeout`.
+- **If you don't run your pod with `script/server`**, you have to update your setup. If you previously called `bin/bundle exec unicorn -c config/unicorn.rb` to run diaspora\*, you now have to run `bin/puma -C config/puma.rb`! Please update your systemd-Units or similar accordingly.
+
+## Yarn for frontend dependencies
+
+We use yarn to install the frontend dependencies now, so you need to have that installed. See here for how to install it: https://yarnpkg.com/en/docs/install
+
+## Suggested Ruby version: 3.3
+
+We recommend setting up new pods using Ruby 3.3, and updating existing pods to this version as well. Ruby 2.7 is EOL and no longer supported.
+
+## Changes to script/server for production pods
+
+If you're currently running your production pod with `./script/server` in a tmux or something similar, please be careful. We made some internal changes that result in the script no longer automatically restarting the server if it crashes - instead, it will just shut down. We strongly recommend running your pod using your system's unit manager, for example with [this systemd unit](https://wiki.diasporafoundation.org/Automatic_startup_methods#Recommended:_systemd).
+
+## Security
+
+* Fix a potential 2FA brute force attack ([CVE-2024-0227](https://github.com/devise-two-factor/devise-two-factor/security/advisories/GHSA-chcr-x7hc-8fp8)).
+ Thanks to Christian Reitter ([Radically Open Security](https://www.radicallyopensecurity.com/)) and Chris MacNaughton ([Centauri Solutions](https://centauri.solutions)).
+
+## Refactor
+* Add bootstrapping for using ECMAScript 6 with automatic transpiling for compatibility [#7581](https://github.com/diaspora/diaspora/pull/7581) [#8397](https://github.com/diaspora/diaspora/pull/8397)
+* Remove backporting of mention syntax [#7788](https://github.com/diaspora/diaspora/pull/7788)
+* Enable Content-Security-Policy header by default [#7781](https://github.com/diaspora/diaspora/pull/7781)
+* Do not show getting started after account import [#8036](https://github.com/diaspora/diaspora/pull/8036)
+* Remove the JSXC/Prosody integration [#8069](https://github.com/diaspora/diaspora/pull/8069) [#8341](https://github.com/diaspora/diaspora/pull/8341)
+* Replace `factory_girl` with `factory_bot` [#8218](https://github.com/diaspora/diaspora/pull/8218)
+* Drop relay support [#8243](https://github.com/diaspora/diaspora/pull/8243)
+* Use yarn to manage the frontend dependencies [#8364](https://github.com/diaspora/diaspora/pull/8364)
+* Upgrade to latest `diaspora_federation`, remove support for old federation protocol [#8368](https://github.com/diaspora/diaspora/pull/8368)
+* Remove support for `therubyracer` [#8337](https://github.com/diaspora/diaspora/issues/8337)
+* Replace `unicorn` with `puma` [#8392](https://github.com/diaspora/diaspora/pull/8392)
+* Drop `strip_exif` flag and always remove exif data from uploaded images [#8417](https://github.com/diaspora/diaspora/pull/8417)
+* Replace `apparition` with `cuprite` [#8418](https://github.com/diaspora/diaspora/pull/8418)
+* Remove `i18n-inflector-rails` for translations [#8420](https://github.com/diaspora/diaspora/pull/8420)
+* Add ruby 3 support [#8423](https://github.com/diaspora/diaspora/pull/8423) [#8426](https://github.com/diaspora/diaspora/pull/8426) [#8427](https://github.com/diaspora/diaspora/pull/8427) [#8448](https://github.com/diaspora/diaspora/pull/8448)
+* Add CORS headers to nodeinfo endpoints to allow for client-side fetching [#8436](https://github.com/diaspora/diaspora/pull/8436)
+* Replace eye with foreman [#8449](https://github.com/diaspora/diaspora/pull/8449)
+
+## Bug fixes
+* Fix multiple photos upload progress bar [#7655](https://github.com/diaspora/diaspora/pull/7655)
+* Photo-upload file picker now correctly restricts possible file types [#8205](https://github.com/diaspora/diaspora/pull/8205)
+* Make inline code inside links show the link color [#8387](https://github.com/diaspora/diaspora/pull/8387)
+* Fix fetching public posts on first account search was missing some data [#8390](https://github.com/diaspora/diaspora/pull/8390)
+* Add redirect from mobile UI photo URLs to post when not using mobile UI [#8400](https://github.com/diaspora/diaspora/pull/8400)
+* Escape mentions before markdown parsing in mobile UI [#8398](https://github.com/diaspora/diaspora/pull/8398)
+* Cleanup duplicate pods in database [#8403](https://github.com/diaspora/diaspora/pull/8403)
+* Fix scrolling issue after closing photo viewer on photos page [#8404](https://github.com/diaspora/diaspora/pull/8404)
+* Filter unicode emojis from email headers [#8421](https://github.com/diaspora/diaspora/pull/8421)
+* Do not show disabled services anymore [#8406](https://github.com/diaspora/diaspora/pull/8406)
+* Update search endpoint to be aware of ignored users [#8363](https://github.com/diaspora/diaspora/pull/8363)
+
+## Features
+* Add client-side cropping of profile image uploads [#7581](https://github.com/diaspora/diaspora/pull/7581)
+* Add client-site rescaling of post images if they exceed the maximum possible size [#7734](https://github.com/diaspora/diaspora/pull/7734)
+* Add backend for archive import [#7660](https://github.com/diaspora/diaspora/pull/7660) [#8254](https://github.com/diaspora/diaspora/pull/8254) [#8264](https://github.com/diaspora/diaspora/pull/8264) [#8010](https://github.com/diaspora/diaspora/pull/8010) [#8260](https://github.com/diaspora/diaspora/pull/8260) [#8302](https://github.com/diaspora/diaspora/pull/8302) [#8298](https://github.com/diaspora/diaspora/pull/8298)
+* For pods running PostgreSQL, make sure that no upper-case/mixed-case tags exist, and create a `lower(name)` index on tags to speed up ActsAsTaggableOn [#8206](https://github.com/diaspora/diaspora/pull/8206)
+* Allow podmins/moderators to see all local public posts to improve moderation [#8232](https://github.com/diaspora/diaspora/pull/8232) [#8320](https://github.com/diaspora/diaspora/pull/8320)
+* Add support for directly paste images to upload them [#8237](https://github.com/diaspora/diaspora/pull/8237)
+* Add support for webp images and convert new png/jpg to webp to save space and bandwidth [#8358](https://github.com/diaspora/diaspora/pull/8358)
+* Show total and active pods count in the pods list for podmins [#8383](https://github.com/diaspora/diaspora/pull/8383)
+* Allow to select multiple aspects when posting on mobile [#8217](https://github.com/diaspora/diaspora/pull/8217)
+* Add info links to drawer in mobile UI [#8405](https://github.com/diaspora/diaspora/pull/8405)
+* Tell users that there is no help in mobile version, allow to switch to desktop [#8407](https://github.com/diaspora/diaspora/pull/8407)
+* Add Smart App Banner on iOS devices [#8409](https://github.com/diaspora/diaspora/pull/8409)
+* Add a more detailed modal when reporting a post or a comment [#8035](https://github.com/diaspora/diaspora/pull/8035)
+* Re-introduce likes on comments [#8203](https://github.com/diaspora/diaspora/pull/8203) [#8439](https://github.com/diaspora/diaspora/pull/8439) [#8442](https://github.com/diaspora/diaspora/pull/8442)
+* New redesigned registration page [#8285](https://github.com/diaspora/diaspora/pull/8285)
+* Allow comments to be fetched [#8441](https://github.com/diaspora/diaspora/pull/8441)
+
 # 0.7.18.2
 
 To avoid potential security issues, diaspora\* now makes sure that ImageMagick image processing always runs with a restricted `policy.xml`, regardless of the global system settings.
@@ -78,7 +177,7 @@ To avoid potential security issues, diaspora\* now makes sure that ImageMagick i
 * Testing: Replaced phantomjs with headless Chrome/Chromium [#8234](https://github.com/diaspora/diaspora/pull/8234)
 
 ## Bug fixes
-* Update comment counter when weleting a comment in the Single Post View [#7938](https://github.com/diaspora/diaspora/pull/7938)
+* Update comment counter when deleting a comment in the Single Post View [#7938](https://github.com/diaspora/diaspora/pull/7938)
 * Link diaspora only poduptime list [#8174](https://github.com/diaspora/diaspora/pull/8174)
 * Delete a user's invitation code during account deletion [#8202](https://github.com/diaspora/diaspora/pull/8202)
 * Bump mimemagic [#8231](https://github.com/diaspora/diaspora/pull/8231)